Payment Initiation APIs
Payload Signing
This section provides steps for signing the payload and generating a valid x-jws-signature.
Step 1: Identify the private key and corresponding signing certificate to be used for signing
The signer must use a private key that has a corresponding digital certificate (that contains the corresponding public key) issued by OB. The signing certificate must be valid at the time of creating the JWS.
Step 2: Form the JOSE Header
The JOSE Header for the signature must contain the following fields
| Claim | Description |
|---|---|
| alg | PS256 is the only supported algorithm for signing the JWS. |
| typ | This is an optional claim. If it is specified, it must be set to the value "JOSE". |
| cty | This is an optional claim. If it is specified, it must be set to the value "json" or "application/json". |
| kid | This must match the certificate id of the certificate selected in step 1. |
| http://openbanking.org.uk/iat | This must be a JSON number representing the number of seconds from 1970-01-01T00:00:00Z, as measured in UTC, until the time the JWS was created. This is a private header parameter name (see RFC 7515, Private Header Parameter Names). |
| http://openbanking.org.uk/iss | This must be a string containing the id of the TPP. This must match the DN of the signing certificate. This is a private header parameter name (see RFC 7515, Private Header Parameter Names). |
| http://openbanking.org.uk/tan | This must be a string consisting of a domain name that is registered to, and identifies, the Trust Anchor that hosts the public counterpart of the key used for signing. For example, when using the Open Banking Directory, the value must be openbanking.org.uk. |
| crit | This must be a string array consisting of the values "http://openbanking.org.uk/tan", "http://openbanking.org.uk/iat" and "http://openbanking.org.uk/iss". This tells the JWS validator that it must understand and process the three additional claims, and must reject the JWS if it cannot (RFC 7515 section 4.1.11). |
Sample JOSE Header
{
"alg": "PS256",
"kid": "rt0rxv7lo86ohb6wNLDheQrEfyY",
"http://openbanking.org.uk/iat": 1676304306,
"http://openbanking.org.uk/iss": "organisationID/clientId",
"http://openbanking.org.uk/tan": "openbanking.org.uk",
"crit": [
"http://openbanking.org.uk/iat",
"http://openbanking.org.uk/tan",
"http://openbanking.org.uk/iss"
],
"cty": "application/json",
"typ": "JOSE"
}
Step 3: Compute the JWS
The signer must compute the signature as a detached JWS as defined in RFC 7515 (Appendix F): the payload is omitted from the serialised value, but it is still part of the signing input.
detachedJWS = BASE64URL(UTF8(JOSEHeader)) + ".." + BASE64URL( sign( privateKey, ASCII( BASE64URL(UTF8(JOSEHeader)) + "." + BASE64URL(payload) ) ) )
Here BASE64URL is base64url encoding without padding (not plain base64), payload is the exact bytes of the HTTP request body, and sign is RSASSA-PSS with SHA-256 (PS256). The operation is a signature with the private key, not encryption. Because the JOSE header carries no b64 parameter, the payload must be base64url-encoded in the signing input (RFC 7797 unencoded-payload mode is not used), and the receiver must rebuild that input from the header segment exactly as received together with the body bytes it actually got.
Step 4: Add the JWS as a HTTP header
The signer must include an HTTP header called x-jws-signature with its value set to the detached JWS computed in Step 3. The value below is an illustrative placeholder only; a real value is two base64url segments separated by "..", with no "=" padding.
x-jws-signature: V2hhdCBoYXRoIGdvZCB3cm91Z2h0ID8=..QnkgR2VvcmdlLCBzaGUncyBnb3QgaXQhIEJ5IEdlb3JnZSBzaGUncyBnb3QgaXQhIE5vdyBvbmNlIGFnYWluLCB3aGVyZSBkb2VzIGl0IHJhaW4/
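The four steps above, carried through end to end as an added example (this is not code from the Open Banking specification or any reference implementation). It uses only the Go standard library: SignDetached produces the detached PS256 JWS for an HTTP body, and VerifyDetached shows the receiving side enforcing the header rules before checking the signature. The kid and iss values, the sample payment body and the five-minute iat tolerance are constructed assumptions; the verifier is assumed to have already looked up the public key for the expected kid from the Trust Anchor rather than trusting anything in the message, and the check that iss matches the certificate DN is left to that lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// joseHeader covers the parameters listed in Step 2 (constructed for this example).
type joseHeader struct {
	Alg  string   `json:"alg"`
	Kid  string   `json:"kid"`
	Iat  int64    `json:"http://openbanking.org.uk/iat"`
	Iss  string   `json:"http://openbanking.org.uk/iss"`
	Tan  string   `json:"http://openbanking.org.uk/tan"`
	Crit []string `json:"crit"`
	Cty  string   `json:"cty,omitempty"`
	Typ  string   `json:"typ,omitempty"`
}

// JWS segments are base64url without padding (RFC 7515 BASE64URL), not plain base64.
var b64url = base64.RawURLEncoding

// PS256 is RSASSA-PSS with SHA-256 and a salt as long as the hash.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

var obCrit = []string{"http://openbanking.org.uk/iat", "http://openbanking.org.uk/tan", "http://openbanking.org.uk/iss"}

// GenerateKey stands in for the OB-issued signing key of Step 1 (assumption: a fresh 2048-bit key).
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignDetached returns BASE64URL(header)..BASE64URL(signature) over payload, the raw HTTP body bytes.
func SignDetached(priv *rsa.PrivateKey, kid, iss string, iat int64, payload []byte) (string, error) {
	hdr := joseHeader{Alg: "PS256", Kid: kid, Iat: iat, Iss: iss, Tan: "openbanking.org.uk",
		Crit: obCrit, Cty: "application/json", Typ: "JOSE"}
	hb, err := json.Marshal(hdr)
	if err != nil {
		return "", err
	}
	encHdr := b64url.EncodeToString(hb)
	// Signing input is ASCII(BASE64URL(header) || '.' || BASE64URL(payload)); the payload is
	// encoded for signing even though it is omitted from the serialised JWS.
	digest := sha256.Sum256([]byte(encHdr + "." + b64url.EncodeToString(payload)))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return encHdr + ".." + b64url.EncodeToString(sig), nil
}

const maxClockSkew = 5 * time.Minute // assumption: the spec fixes no tolerance for iat

// VerifyDetached is the receiving side. pub is the key the verifier looked up for expectedKid
// from the Trust Anchor; payload is the body bytes actually received.
func VerifyDetached(pub *rsa.PublicKey, detached string, payload []byte, expectedKid string, now time.Time) error {
	parts := strings.Split(detached, ".")
	if len(parts) != 3 || parts[1] != "" {
		return errors.New("not a detached JWS (expected header..signature)")
	}
	hb, err := b64url.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("header: %w", err)
	}
	var hdr joseHeader
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return fmt.Errorf("header: %w", err)
	}
	// Pin the algorithm: the message must never choose how it is verified.
	if hdr.Alg != "PS256" {
		return fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	if hdr.Kid != expectedKid {
		return errors.New("kid does not match the selected signing certificate")
	}
	if (hdr.Typ != "" && hdr.Typ != "JOSE") || (hdr.Cty != "" && hdr.Cty != "json" && hdr.Cty != "application/json") {
		return errors.New("typ/cty present with a disallowed value")
	}
	if hdr.Tan != "openbanking.org.uk" || hdr.Iss == "" {
		return errors.New("tan or iss not acceptable")
	}
	seen := map[string]bool{}
	for _, c := range hdr.Crit {
		seen[c] = true
	}
	if len(seen) != len(obCrit) || !seen[obCrit[0]] || !seen[obCrit[1]] || !seen[obCrit[2]] {
		return errors.New("crit must list exactly the three OB parameters")
	}
	if d := now.Sub(time.Unix(hdr.Iat, 0)); d > maxClockSkew || d < -maxClockSkew {
		return errors.New("iat outside the accepted window")
	}
	sig, err := b64url.DecodeString(parts[2])
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	// Rebuild the signing input from the header segment as received, never from a re-serialised header.
	digest := sha256.Sum256([]byte(parts[0] + "." + b64url.EncodeToString(payload)))
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts)
}
```

The verifier checks every header rule before it touches the signature, so a request with an unexpected alg, a foreign kid or a stale iat is rejected without doing any RSA work. Note that the body is signed as the exact bytes on the wire: any proxy that re-serialises the JSON between TPP and ASPSP will break verification, which is the intended behaviour.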